Full Report
An expert says Ukraine’s cyber defense offers a hard-earned lesson for the United States: stop assuming good defense means stopping every attack. On a recent episode of Cyber Focus, Greg Rattray argued that the more important test is whether a country or company can keep operating, recover quickly and adapt under pressure. Drawing on his work with the Cyber Defense…
Analysis Summary
# Best Practices: Operational Cyber Resilience
## Overview
These practices shift the focus from traditional "perimeter-only" defense to **Cyber Resilience**. Based on the lessons from Ukraine’s defense against Russian state-sponsored actors, these practices address the reality that breaches are inevitable. The goal is to ensure that when an attack succeeds, the organization can maintain critical functions, "illuminate" the threat to reduce its window of opportunity, and recover systems in hours or days rather than weeks.
## Key Recommendations
### Immediate Actions
1. **Shift Metric Focus:** Move from measuring "Attacks Blocked" to "Mean Time to Recover (MTTR)" and "Service Availability" during incidents.
2. **Illuminate the Environment:** Enable and centralize logging across all endpoints and cloud environments to ensure attackers cannot "operate in the dark."
3. **Establish Out-of-Band Communications:** Ensure leadership and technical teams have a non-corporate communication channel (e.g., Signal, Proton) for use when the primary network is taken down, as happened to Kyivstar.
### Short-term Improvements (1-3 months)
1. **Intelligence Integration:** Establish formal data-sharing feeds with private-sector cybersecurity partners to gain external visibility into threat actor movements.
2. **Prioritize Functional Recovery:** Identify the "Crown Jewel" services (e.g., billing, customer connectivity, or core production) and create isolated, immutable backups for these specific workflows.
3. **Conduct "Live-Fire" Restoration Drills:** Test whether systems can be rebuilt from scratch, rather than just restored from a single point-of-failure backup.
### Long-term Strategy (3+ months)
1. **Adopt a "Resilience-First" Investment Model:** Reallocate budget from preventive tools (Firewalls/AV) toward recovery automation, redundancy, and incident response headcount.
2. **Public-Private Partnership Readiness:** Pre-negotiate contracts or agreements with third-party "clean room" restoration services or incident response collaboratives (like CDAC).
3. **Decentralize Infrastructure:** Reduce "blast radius" by segmenting critical infrastructure so that a failure in one region or department does not result in a total organizational blackout.
## Implementation Guidance
### For Small Organizations
- Focus on **cloud-based resilience**. Use off-the-shelf SaaS solutions that offer built-in redundancy.
- Maintain a physical "break glass" folder containing hard copies of emergency contact lists and basic network diagrams.
### For Medium Organizations
- Implement **automated backup validation**. Ensure that backups are not only occurring but are verified as uncorrupted and bootable.
- Appoint a "Resilience Lead" whose job is to visualize "Day 2" of a total system failure and plan the recovery sequence.
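The "automated backup validation" and "live-fire restoration drill" points above, as an added worked example (not code from the original page or from the podcast's author): a manifest-driven check that each backup is present, matches its recorded SHA-256, and is fresher than an assumed 24-hour recovery point objective, followed by a trial restore into a scratch directory that re-verifies the hash. A real drill would boot or mount the restored artifact; the copy-and-rehash step stands in for that here. All file names, contents and timestamps are constructed.

```python
"""Validate a set of backups against a manifest and run a trial restore.
Added example; every backup file, manifest entry and timestamp below is
constructed for the drill and does not come from the original page."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed recovery point objective: anything older than this is "stale".
MAX_AGE = timedelta(hours=24)


def sha256_of(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, names, created_at):
    """Record size, digest and creation time for each named backup file."""
    entries = {}
    for name in names:
        path = os.path.join(backup_dir, name)
        entries[name] = {
            "sha256": sha256_of(path),
            "size": os.path.getsize(path),
            "created_at": created_at.isoformat(),
        }
    return entries


def validate_backup(backup_dir, manifest, now=None):
    """Return {name: [problems]}; an empty list means that backup passed."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for name, meta in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            results[name] = ["missing"]
            continue
        problems = []
        if os.path.getsize(path) != meta["size"]:
            problems.append("size mismatch")
        # Size alone misses silent corruption or tampering; the digest catches it.
        if sha256_of(path) != meta["sha256"]:
            problems.append("checksum mismatch (corrupted or tampered)")
        age = now - datetime.fromisoformat(meta["created_at"])
        if age > MAX_AGE:
            problems.append(f"stale: {age} old, RPO is {MAX_AGE}")
        results[name] = problems
    return results


def trial_restore(backup_dir, manifest, restore_dir):
    """Copy each backup into restore_dir and confirm the restored copy's digest."""
    restored = {}
    for name, meta in manifest.items():
        src = os.path.join(backup_dir, name)
        dst = os.path.join(restore_dir, name)
        if not os.path.exists(src):
            restored[name] = False
            continue
        shutil.copy2(src, dst)
        restored[name] = sha256_of(dst) == meta["sha256"]
    return restored


def run_drill():
    """Constructed scenario: three backups; one is corrupted after the manifest
    was written, one is three days old. Returns (validation results, restore results)."""
    work = tempfile.mkdtemp()
    backup_dir = os.path.join(work, "backups")
    restore_dir = os.path.join(work, "restore")
    os.makedirs(backup_dir)
    os.makedirs(restore_dir)
    now = datetime.now(timezone.utc)
    sample_files = {  # constructed payloads standing in for real dumps/archives
        "billing-db.dump": b"PGDMP billing schema and rows",
        "customer-portal.tar": b"ustar portal static assets and config",
        "legacy-crm.dump": b"PGDMP legacy crm rows",
    }
    for name, data in sample_files.items():
        with open(os.path.join(backup_dir, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(backup_dir, ["billing-db.dump", "customer-portal.tar"],
                              now - timedelta(hours=2))
    manifest.update(build_manifest(backup_dir, ["legacy-crm.dump"], now - timedelta(days=3)))
    # Simulate silent corruption: overwrite one byte without changing the size.
    with open(os.path.join(backup_dir, "customer-portal.tar"), "r+b") as f:
        f.seek(0)
        f.write(b"X")
    results = validate_backup(backup_dir, manifest, now=now)
    restored = trial_restore(backup_dir, manifest, restore_dir)
    shutil.rmtree(work)
    return results, restored


if __name__ == "__main__":
    validation, restore = run_drill()
    for name in validation:
        print(f"{name}: {validation[name] or 'OK'}; trial restore verified={restore[name]}")
```

The point of the drill is the second failure mode: `customer-portal.tar` keeps its expected size, so a "did the backup job run?" check would report success, and only the digest comparison (and the post-restore re-hash) exposes it.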
### For Large Enterprises
- Focus on **"Illumination at Scale."** Use EDR/XDR tools to provide a unified view of the global battlespace.
- Participate in sector-specific ISACs (Information Sharing and Analysis Centers) to facilitate the "brightly illuminated cyberspace" Rattray mentions.
## Configuration Examples
*While specific code was not provided in the text, the following is a technical application of the "Illumination" principle:*
- **Logging Config:** Ensure `Sysmon` or equivalent is configured to capture Process Creation (Event ID 1) and Network Connection (Event ID 3) to prevent attackers from moving "in the dark."
- **Immutable Backups:** Configure S3 buckets with `Object Lock` in "Compliance Mode" to ensure even an attacker with admin credentials cannot delete recovery data.
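An added example for the Sysmon logging point (not code from the original page or from the podcast's author): a small audit that parses a Sysmon configuration and reports whether Process Creation (Event ID 1) and Network Connection (Event ID 3) would actually be recorded. It encodes Sysmon's own `onmatch` semantics: an `exclude` block logs everything except the listed rules, while an `include` block logs only matching events, so an `include` block with no rules silently logs nothing, which is exactly the "operating in the dark" failure. The two configurations are constructed; the audit assumes one filter block per event type and flags anything else for manual review.

```python
"""Audit a Sysmon configuration for Event ID 1 (ProcessCreate) and Event ID 3
(NetworkConnect) coverage. Added example; both sample configurations are
constructed and not taken from the original page."""
import xml.etree.ElementTree as ET

# Sysmon's own filter element names mapped to the event IDs they control.
REQUIRED_FILTERS = {
    "ProcessCreate": (1, "Process Creation"),
    "NetworkConnect": (3, "Network Connection"),
}

# Constructed weak config: the NetworkConnect block is "include" with no
# rules, so Event ID 3 is never written.
WEAK_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">updater.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed corrected config: both event types use "exclude" filters, so
# everything not explicitly excluded is logged.
FIXED_CONFIG = WEAK_CONFIG.replace('<NetworkConnect onmatch="include">',
                                   '<NetworkConnect onmatch="exclude">')


def _status_for(filter_elem):
    """Classify a single filter block by its onmatch mode and rule count."""
    onmatch = (filter_elem.get("onmatch") or "").lower()
    rule_count = len(list(filter_elem))
    if onmatch == "exclude":
        return "captured", f"exclude filter with {rule_count} exclusion rule(s); all other events logged"
    if onmatch == "include":
        if rule_count == 0:
            return "captured_none", "include filter with no rules: nothing is logged for this event type"
        return "captured_subset", f"include filter with {rule_count} rule(s); only matching events logged"
    return "unknown", f"unrecognised onmatch value {onmatch!r}"


def audit_sysmon_config(xml_text):
    """Return {filter_name: (event_id, status, detail)} for each required filter."""
    root = ET.fromstring(xml_text)
    report = {}
    for name, (event_id, description) in REQUIRED_FILTERS.items():
        elems = list(root.iter(name))
        if not elems:
            # Whether an absent filter is logged depends on the Sysmon version's
            # defaults, so this audit does not guess; it asks for verification.
            report[name] = (event_id, "not_configured",
                            f"no {name} filter present; verify the default for {description}")
        elif len(elems) > 1:
            # Merging rules across several blocks is not modelled here.
            details = "; ".join(_status_for(e)[1] for e in elems)
            report[name] = (event_id, "review", f"{len(elems)} {name} blocks: {details}")
        else:
            status, detail = _status_for(elems[0])
            report[name] = (event_id, status, detail)
    return report


def is_illuminated(report):
    """True only if every required event type is actually being recorded."""
    return all(status in ("captured", "captured_subset")
               for _, status, _ in report.values())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        rep = audit_sysmon_config(cfg)
        print(f"[{label}] illuminated={is_illuminated(rep)}")
        for name, (eid, status, detail) in rep.items():
            print(f"  Event ID {eid} {name}: {status} ({detail})")
```

Running the audit against a host's live configuration (`sysmon -c` prints it) before an incident is cheaper than discovering during one that the network-connection channel was never populated.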
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF) 2.0:** Specifically the **Recover** and **Respond** functions.
- **ISO/IEC 27031:** Guidelines for information and communication technology readiness for business continuity.
- **CIS Controls:** Control 11 (Data Recovery) and Control 17 (Incident Response Management).
## Common Pitfalls to Avoid
- **The "Wall" Fallacy:** Assuming that a high investment in prevention (firewalls/EDR) means recovery planning is unnecessary.
- **Operating in Silence:** Failing to share threat data with partners, which allows attackers to reuse the same tactics against different departments or subsidiaries.
- **Under-Exercising:** Having a recovery plan on paper that has never been tested under the pressure of simulated "leveled infrastructure."
## Resources
- **CDAC (Cyber Defense Assistance Collaborative):** [cdac-ukraine[.]org]
- **McCrary Institute Cyber Focus Podcast:** [mccraryinstitute[.]com/podcast]
- **NIST Guide for Cybersecurity Resilience Policy:** [nist[.]gov/cyberframework]